Think that because your business is not the size of a Target, JPMorgan Chase or Sony, you’re immune from today’s breed of cyberthreats? Think again. Just because small and medium-sized businesses (SMBs) don’t have the financial resources or the brand reputation many enterprises do doesn’t mean hackers aren’t targeting them, recent studies show.

Why exactly are SMB organizations in these hackers’ crosshairs? It isn’t so much what’s on their networks as how attackers can use those networks. “The hackers are looking at that network as another means, as another jump-off point, to go out and get some other networks. They want to turn your network into basically a botnet,” said Page Moon, CIO of Focus Data Solutions, an IT and Web hosting firm, at an IT Nation 2014 session in Orlando, Fla., last year. In other words, SMBs’ systems are a potential entry point into other, larger networks.

And what do SMB IT pros believe is their top cybersecurity vulnerability? Employees. According to a 2014 study by digital security firm Gemalto, which surveyed 438 IT professionals who work in SMB organizations, 77% of these IT pros believe employees to be the single weakest link in their security infrastructure, and a similar percentage — 75% — say that employees, particularly the risk of them unintentionally leaking data, are their top cloud security concern. And there might be a reason for these fears. According to the findings, the two security challenges that top the IT pros’ lists are social engineering (48%) and BYOD management (42%), which both involve employees.

Social engineering threats expected to rise

The first of these security hurdles, social engineering, is a particularly devious form of cyberthreat because it exploits the fact that many SMBs — their employees and IT pros alike — are lacking in security education; for instance, many believe that only back-end operations are vulnerable to the latest cyberattacks, said Moon. And this security gap has a wider scope, according to the authors of Symantec’s 2014 Internet Security Threat Report (ISTR), which examined trends in 2013. “While the ease of installation and cost of maintenance may have decreased, many new administrators are perhaps not familiar with how to secure their servers against attacks from the latest Web attack toolkits,” the authors write. SMB IT admins also aren’t necessarily diligent about security, such as staying up to date with the latest patches, they said.

Social engineering is lucrative for hackers. For example, 62,000 attacks of one common type of social engineering, spear phishing, raked in $233 million in October 2013 alone. Not a shabby profit, considering that one can buy a spam service to send out half a million phishing emails for only $75, according to RSA, the security division of EMC Corp. And spear phishing aimed at SMBs has been on the rise in recent years: In the Symantec study, 41% of the IT pros who work in companies with 1 to 500 employees reported this type of attack in 2013 — a 5% increase from the previous year. And according to Angel Grant, senior manager for anti-fraud solutions at RSA, social engineering attacks are poised to increase this year.

Employee education reduces risks

It’s clear that it’s not just Fortune 500 companies that are the targets. So how can SMBs arm themselves with the limited resources that they have? For starters, implementing the best security tools and technologies you can afford, perhaps cloud-based security apps, is certainly critical. But you also need to educate your employees. The benefits that come with equipping employees with the knowledge of how to effectively deal with threats are quantifiable — doing so can reduce security risks by up to 70%, according to companies surveyed by the Aberdeen Group recently.

It’s important to note, however, that training employees doesn’t just mean teaching them best practices on creating complex passwords or how to spot suspicious emails, but also changing how they approach their interactions online in general, said Chris Hadnagy, founder of security training company Social-Engineer. “If you just want people to follow the rules — don’t think, just do — you create an easy environment for [hackers],” he told Inc.

What can you do to compete against service providers and take back control of your organization? SearchCIO expert Niel Nickolaisen offers a few tips on how to build a better IT service model.

This week, Google launched a set of business-focused technologies that allows employees to run their personal and corporate apps on their Android device. Is Android for Work set to take the enterprise by storm and give Apple and Microsoft a run for their money? In this week’s Searchlight, Associate Editor Fran Sales discusses the program’s pros and cons. Plus, the FCC’s net neutrality proposal passes and a sex bias lawsuit rocks Silicon Valley.

DevOps is a hot trend in IT that’s making companies more flexible and competitive. But, according to Gartner analyst David Cearley, the approach as it is typically practiced today doesn’t go far enough. Cearley explains why security needs to be included in DevOps models and gives tips on how to do it.

As explained in my previous post, “Tips for a smooth cloud migration,” the first big hurdle in a cloud migration is figuring out how to get all your data over to the cloud safe and sound.

“Those are good things to worry about and good things to get through,” Lilac Schoenbeck, vice president of product marketing and product management for iLand, a cloud provider, said during a webinar on cloud migrations. But once all the data has been successfully moved to the cloud, more planning still needs to be done. Failing to do so could put an additional management burden on the IT team, Schoenbeck said.

Here are one cloud provider’s tips on how to prepare for and manage the day-to-day once you’ve migrated to the cloud.

Find a provider with a clear, straightforward management environment.

Cloud providers can put heavy demands on the IT team. For example, they can require the IT team to understand their particular kind of scripting, as well as configure their particular management tools, Schoenbeck said. It’s important for IT leaders to figure out what the day-to-day will look like and how much additional work will be put on your staff. “[There are] different types of clouds, different underlying hypervisors, different systems are going to throw off different kinds of metrics,” she said, adding that these conditions could mean that the successful cloud migration could in fact become “an ongoing burden on your team.”

A good strategy? Find a cloud service that has an environment close to your on-premises environment, so it will be easier to operate and easier to evaluate if something goes wrong, Schoenbeck said.

Don’t get stuck with an unexpected bill.

“We always want to know what our costs are going to be. One of the big concerns moving to the cloud is maybe these costs could be very variable, and I might be stuck with a bill I didn’t anticipate,” Schoenbeck said.

She outlined two ways to mitigate that risk.

First, an IT leader or company could go with a provider who uses a reservation pricing model, which means that “your costs are fixed month-to-month and you’ve basically reserved a pool of resources in the same way that you might have an on-premises pool of resources to allocate however you like,” Schoenbeck said.

The second option is a pay-as-you-go, or bursting, model. With this model, Schoenbeck said, it’s important “to look for [a provider] who’s going to be really transparent on what you’ve spent so far and, in fact, even predictive about what you will be spending if your behavior continues as it is.”

This visibility will also allow IT leaders to communicate with stakeholders, the procurement team, and whoever else might want or need to know what the bill will likely be at the end of the month, she said.

Look for a provider with a customer-driven roadmap.

Schoenbeck said that some cloud providers will invest very little in management support. As your company juggles more and more projects in the cloud, it then becomes “more and more difficult to operate [and] you don’t actually have anybody… to help ease the way.”

That’s why it’s always important to look at the support options that come with the cloud service you’re planning to migrate to, Schoenbeck advises. She suggests that IT leaders choose a cloud provider that is going to work with you and work with what you need so that the management burden is minimized.

“Often times that’s going to make a big difference in what this means for your team operationally,” Schoenbeck said.

Migrating to the cloud may be a top mandate for CIOs, but it is no easy feat. In fact, cloud migrations “are notoriously difficult” and about 80% of them fail, Mark Broghammer, director of solutions engineering at iLand, a cloud provider, said during a webinar about cloud migrations.

Long-term analysis, the method often used to try to gauge whether an application will work, doesn’t always help you predict whether an application or server will work well with the cloud service you are planning to migrate over to. “The fact is, you don’t know how an application’s going to work in the cloud,” Broghammer said.

This is where load testing, or performance testing, is helpful, Broghammer said. With load testing, a cloud testing provider can test an application or applications against the actual number of users expected. Based on the results of the test, a CIO or company can then gain better insight into how that cloud service will work for them and what the performance of their applications will look like when they actually migrate over to that cloud service.

Migrating physical vs. virtual workloads

We live in a hybrid IT world and companies aren’t uniform across the board when it comes to the type of technologies they’re using. Some companies have a mixture of legacy systems, on-premises, and off-premises services.

“The point is, how can you be cost efficient if you’re running many types of projects on systems being handled by different teams both internally and externally?” Broghammer said.

Different providers often have different systems in place and different processes. Therefore if you have a hybrid environment of different projects on different systems it can be difficult to coordinate everything. That’s why it’s important to make sure your providers have a single approach for the physical and virtual workloads that you are planning to migrate to the cloud, Broghammer said.

He added that now that there are multiple hypervisor program options out there, companies also need to make sure the same processes and systems are in place when choosing a hypervisor program to help them with their migration.

“When migrating, again, make sure the models of migrating different platforms follow the same technology set, or stack, that you’re using for those particular workloads,” he said.

Methods of sending data to the provider

There are several methods for getting your data over to your cloud provider, but the typical ways include physically shipping a drive with your data and/or replicating data.

When it comes to physically shipping a drive, it’s important to ask yourself: are you 100% comfortable with this method? Sure, you can send an encrypted drive, Broghammer said, but the fact is that the drive and the data on it will pass through the hands of many people. “And the potential loss of that data could set you back in your timeframes,” Broghammer warned.

His suggestion? “I would tend to favor an over the wire approach” because the data would pass through fewer hands and there is added protection with Secure Sockets Layer (SSL) business process management (BPM).

“Where the data becomes a bit more stagnant (in other words, data that is just sort of sitting there and not much is being done with it) you need to have a multi-site or multi-location strategy with that,” Broghammer said. Even though you may be migrating certain pieces of your architecture into a cloud environment, Broghammer advises that you still may need to colocate and replicate the data.

CIOs are at a critical point in their evolution, and they need to find a way to stay relevant in a corporate culture, according to author Jill Dyché. In part one of her two-part feature story, Senior News Writer Nicole Laskowski chats with Dyché about how to cure the CIO identity crisis. In part two, Dyché explains the key factors that kill innovation.

Is the connected car the next big step toward an IoT-dominated future? In her latest Searchlight entry, Associate Editor Fran Sales highlights the buzz around a possible Apple car and discusses how it can help CIOs drive the conversation around IoT security. Also in Searchlight: U.S. spyware in foreign networks and Snapchat’s big funding proposal.

Speaking of IoT security, check out this #CIOChat recap to hear what SearchCIO followers and guest expert Harvey Koeppel have to say about mitigating IoT security risks amid a notable lack of precedent.

Hadoop is a powerful technology, but is it secure? In the latest Data Mill, read why Hadoop security is a different beast from traditional security, see a list of current Hadoop security projects, and get the latest 2015 budget expectations.

Think you know what the future holds for mobile networking? Take our quiz to assess your knowledge and review recent mobility and networking content.

It’s almost time for the next #CIOChat! Join SearchCIO editors and fellow tweeters Wednesday, Feb. 25, at 2 p.m. EST to talk about the death of the CIO as we know it. We’ll be discussing the challenges of modern CIOs and how CIOs can stay relevant in a digital enterprise. See you there!

Chief innovation officers are leading the charge and tasked with shaking up enterprise culture, but they can’t do it alone. Innovators at Hyatt, Merck and Nestlé Purina explain how new language, celebrating failures and a strong understanding of innovation culture are vital for business transformation.

The intersection of social, mobile, analytics and cloud (SMAC) is a disruptive force that is driving present and future business innovation. In the latest Essential Guide, learn tips on SMAC strategy and governance, hear from companies with successful SMAC integration and peek into the future of enterprise SMAC technologies.

Are you prepared for the new security paradigm? In this CIO Decisions e-zine, we explore how companies can strategize around data protection in order to stay ahead of their attackers and protect their valuable assets.

Speaking of net neutrality, it’s almost time for the next #GRCChat! Join SearchCompliance editors and fellow tweeters Thursday, Feb. 19, at 12 p.m. EST to talk net neutrality in the wake of the FCC proposal. We’ll be discussing the potential effects on innovation and the future of net neutrality practices. See you there!

It’s time to get your application consolidation education. Executive Editor Linda Tucci talks to two CIOs in the educational system for their take on app consolidation efforts. First up: Utah State University’s Eric Hawley discusses his team’s consolidation plans, which involve quick access to mobile data, CRM consolidation and the building of APIs. Then, Deepak Agarwal, CIO at the School District of Palm Beach County, shares his app consolidation success story and talks about the challenges and benefits of updating legacy apps.

The Federal Communications Commission (FCC) recently made a bold move on net neutrality. This week’s Searchlight explores the implications for CIOs. Plus: Anthem hacked, Google and Uber butt heads, and Target hires a new CIO from the UK.

New cyberthreats are everywhere — are your information security controls regimented? In this video interview, SearchCompliance editor Ben Cole talks with Christopher T. Pierson, executive vice president, general counsel and CSO at Viewpost, about the importance of continually monitoring and adapting security controls in the midst of increasingly sophisticated cyberthreats.

Disaster recovery (DR) is expensive — and not just because traditional disaster recovery services come at a very high price. Other factors contribute to the financial toll of DR: underfunded DR budgets, poor DR planning and testing procedures, and technological deficiencies, all of which contribute to the failure of critical applications, data center outages and data loss. These, in turn, can amount to anywhere from a few thousand dollars to a whopping $5 million in losses, according to a 2014 study by the Disaster Recovery Preparedness Council.

To small and medium-sized businesses (SMBs), many of which lack the necessary resources to properly implement or test an effective DR plan, these circumstances can be disheartening. Luckily, cloud computing and virtualization have been playing a greater role in DR — and opening up more, and less costly, options for SMBs.

The cloud, in particular, is “ideal as a data protection scheme,” according to George Crump, president of analyst firm Storage Switzerland. That’s because “you get a secondary site, it’s generally several disaster zones away, and it really is generally made for that effort,” he said. And unlike traditional DR schemes, the business doesn’t have to manage the off-site data center itself.

Where DRaaS fits in your business continuity scheme

Disaster recovery as a service (DRaaS), a particular breed of cloud DR, is taking off among SMBs, and not only because of its pay-per-use pricing model. DRaaS allows businesses to replicate and host their virtual machines (VMs) in the cloud so that, in the event of a catastrophe, they don’t have to wait to move all of their data back to their data center — they can just start up those VMs. This means significantly reduced recovery time. Plus, DRaaS providers offer their own service-level agreements, DR planning and testing, network operations, support, and even self-service admin tools — more enticements for SMBs that aren’t adequately staffed or equipped to fully handle DR themselves.

Moving to DRaaS isn’t such a huge leap for SMBs, according to SearchCloudStorage Site Editor Andrew Burton. “It’s a good deal for SMBs, as many are heavily virtualized, and as such are probably already using a backup software product that has the ability to replicate VMs to the cloud,” he said.

This all might sound too good to be true, but the statistics prove otherwise. For instance, in a 2013 study conducted by cloud backup provider Intronis Inc. and analyst firm The 2112 Group, more than 50% of SMBs that rely on an IT service provider for backup and recovery are using cloud-based technologies. And a 2012 survey by research firm Aberdeen found that midsized businesses suffered 50% fewer instances of downtime and 20% of the financial losses of those who used in-house DR; they also recovered three times faster than the latter group.

DRaaS options and use cases

SMBs aren’t the only ones availing themselves of the perks of DRaaS. Both established DR and backup vendors and burgeoning startups are making swift moves in this space. VMware, for example, added cloud disaster recovery features to vCloud Hybrid Service, its infrastructure as a service offering. And startup Zerto just garnered $26 million in funding last year, which went into its Cloud Fabric product, which transports virtualized workloads between cloud providers.

Bit9, a software security company based in Waltham, Mass., is one midsized company that’s benefited from the DRaaS feature offered by cloud storage provider TwinStrata. The feature allows users to start up vSphere servers in the cloud and run live copies of data and apps without having to rebuild their servers. Combined with Veeam’s Backup & Replication product, which enables IT director Bill Suarez to replicate to multiple locations while making synchronous backup copies at another location, “we could have our email flowing again within a business day,” he said.

You and your DRaaS provider are on the hook

DRaaS doesn’t come without warnings and downsides. For instance, once a DRaaS provider runs your apps in the cloud, you need to make sure you fully understand what that provider’s cloud computing service-level agreement entails, Crump explained. Plus, moving data to the cloud takes up a lot of bandwidth, and you need to make sure you and your provider can accommodate it. And, after the catastrophe has passed, you need to have worked out a plan with your provider on synchronizing the application data in the cloud with your primary servers, all without disrupting critical processes.

According to Crump and fellow Storage Switzerland analyst Eric Slack, make sure to ask your provider the following questions:

Do you have the infrastructure to run the applications I need?

Can you allocate the compute resources to run these applications at my desired performance level?

Can you guarantee uptime?

Can you offer the same level of support if a regional catastrophe brings down multiple clients’ data centers?

If your DRaaS provider can’t meet these requirements, Crump said, it could be time to look elsewhere.

Is data encryption enough to ensure data protection? According to Edward Snowden, the answer is no. At Harvard University’s fourth annual Symposium on the Future of Computation in Science and Engineering, which took place last week, Snowden joined security technology expert Bruce Schneier to talk open source encryption, policies and privacy, the Data Mill reports.

IoT devices are great, but the personal privacy and security implications cannot be ignored, according to a new Federal Trade Commission (FTC) report. Associate Site Editor Francesca Sales highlights the report’s key findings in this week’s Searchlight. Plus: Apple breaks the bank again and Amazon gives Microsoft’s Outlook some competition.

Is your company looking to consolidate data centers? AMD CIO Jake Dominguez knows a thing or two about that, having consolidated 18 data centers down to two. Read Dominguez’s story and get tips on the right way to proceed with your IT consolidation strategy.

Success and failure of a big data strategy hinges on a few key factors. Before you start your next big data project, read Senior News Writer Nicole Laskowski’s latest Data Mill to familiarize yourself with the do’s and don’ts of big data.

Will Microsoft’s Windows 10 usher in a new category of computing? At the recent Windows 10 announcement event, Microsoft unveiled a holographic headset, personal digital assistant Cortana and the Continuum interface, among other developments aimed at reeling back in consumers and enterprises. The latest Searchlight addresses the details and implications of the Windows 10 announcement.

As SearchCIO Columnist Brian Barringer writes, crowdfunding finance methods have been around since the 17th century, but the phenomenon that we’re familiar with, spurred by sites like Kickstarter and Indiegogo, has only been around for a few years. Is this form of financing a good option for your small business? Barringer gives his take on crowdfunding for small businesses.

Refresh your knowledge of TechTarget’s 2014 Information Technology Salary and Careers Survey with the latest Essential Guide, and learn about IT executives’ compensation, salary trends across the IT landscape and 2015 project priorities.

Speaking of the 2014 salary survey, Mark Schlack, TechTarget’s Senior Vice President of Editorial, presents a 2015 information technology outlook based on the results of the survey, indicating higher budgets and more cloud services in the coming year.

It’s almost time for the next #CIOChat! Join SearchCIO editors and fellow tweeters Wednesday, Jan 28, at 3 p.m. EST to talk Internet of Things (IoT) security. We’ll be discussing whether the enterprise is prepared for the security implications of IoT and much more. See you there!